From 7ea9dee0b1842ba322596109b85c1844bcbd195c Mon Sep 17 00:00:00 2001
From: Stefan Kopf
Date: Fri, 3 Mar 2017 10:43:55 +0000
Subject: [PATCH] REPO-2112 - Security: MNT-17545: HTTP Header Injection in ContentStreamer

MNT-17545 - HTTP Header Injection in ContentStreamer

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@135560 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../web/scripts/content/ContentStreamer.java | 36 +++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

diff --git a/source/java/org/alfresco/repo/web/scripts/content/ContentStreamer.java b/source/java/org/alfresco/repo/web/scripts/content/ContentStreamer.java
index 3991482802..3816c9ba69 100644
--- a/source/java/org/alfresco/repo/web/scripts/content/ContentStreamer.java
+++ b/source/java/org/alfresco/repo/web/scripts/content/ContentStreamer.java
@@ -477,7 +477,7 @@ public class ContentStreamer implements ResourceLoaderAware
 if (req == null)
 {
 headerValue += "; filename*=UTF-8''" + URLEncoder.encode(attachFileName)
- + "; filename=\"" + attachFileName + "\"";
+ + "; filename=\"" + filterNameForQuotedString(attachFileName) + "\"";
 }
 else
 {
@@ -489,7 +489,7 @@ public class ContentStreamer implements ResourceLoaderAware
 }
 else
 {
- headerValue += "; filename=\"" + attachFileName + "\"; filename*=UTF-8''"
+ headerValue += "; filename=\"" + filterNameForQuotedString(attachFileName) + "\"; filename*=UTF-8''"
 + URLEncoder.encode(attachFileName);
 }
 }
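Review bot: The `filename*=UTF-8''` value in this branch (and in the `req == null` branch of the previous hunk) is still built with the single-argument `URLEncoder.encode(attachFileName)`, which percent-encodes in the JVM's default charset, so the `UTF-8` label in the header is only truthful when that default is UTF-8; on another default, non-ASCII names are mislabelled and may be displayed wrongly by the browser. `URLEncoder` also turns spaces into `+`, which RFC 5987 reads as a literal plus rather than a space. Suggest `URLEncoder.encode(attachFileName, "UTF-8").replace("+", "%20")`, noting that the two-argument form throws a checked `UnsupportedEncodingException` that must be handled. The header-injection fix itself is unaffected, since the encoder percent-encodes CR and LF either way. The method enclosing this hunk begins and ends outside it.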
@@ -500,6 +500,38 @@ public class ContentStreamer implements ResourceLoaderAware
 res.setHeader("Content-Disposition", headerValue);
 }
 }
+
+ protected String filterNameForQuotedString(String s)
+ {
+ StringBuilder sb = new StringBuilder();
+ for(int i = 0; i < s.length(); i++)
+ {
+ char c = s.charAt(i);
+ if(isValidQuotedStringHeaderParamChar(c))
+ {
+ sb.append(c);
+ }
+ else
+ {
+ sb.append(" ");
+ }
+ }
+ return sb.toString();
+ }
+
+ protected boolean isValidQuotedStringHeaderParamChar(char c)
+ {
+ // see RFC2616 section 2.2:
+ // qdtext = >
+ // TEXT =
+ // CTL =
+ // A CRLF is allowed in the definition of TEXT only as part of a header field continuation.
+ // Note: we dis-allow header field continuation
+ return (c < 256) // message header param fields must be ISO-8859-1. Lower 256 codepoints of Unicode represent ISO-8859-1
+ && (c != 127) // CTL - see RFC2616 section 2.2
+ && (c != '"') // <">
+ && (c > 31); // CTL - see RFC2616 section 2.2
+ }
 
 /**
 * Set the cache settings on the response
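Review bot: `isValidQuotedStringHeaderParamChar` rejects `"` but still accepts the backslash, so a filename ending in `\` produces `filename="name\"`, where `\"` is an RFC 2616 quoted-pair and the closing quote is consumed; CR/LF injection is closed by the `c > 31` test, but the boundary of the `filename` parameter remains attacker-influenced and the following `filename*` value can be absorbed into it. Suggest treating it like the quote: `&& (c != '\\') // quoted-pair introducer, would escape the closing quote`. Separately, the `c < 256` test admits 128–159, which are C1 control codes in ISO-8859-1; they do not split headers, but a one-line comment stating that they are deliberately allowed (or a `c < 128 || c > 159` guard) would make the intent explicit. The `qdtext`/`TEXT`/`CTL` comments appear to have lost their `<...>` definitions as shown here; worth checking they are intact in the source file, since they are the only documentation of the filter's rationale.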